---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: insert-podantiaffinity
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Deployment
    mutate:
      patchStrategicMerge:
        spec:
          template:
            spec:
              +(affinity):
                +(podAntiAffinity):
                  +(preferredDuringSchedulingIgnoredDuringExecution):
                  - podAffinityTerm:
                      labelSelector:
                        matchExpressions:
                        - key: app
                          operator: In
                          values:
                          - '{{request.object.metadata.labels.app}}'
                      topologyKey: kubernetes.io/hostname
                    weight: 1
    name: insert-podantiaffinity
    preconditions:
      all:
      - key: '{{request.object.metadata.labels.app}}'
        operator: NotEquals
        value: ""
  validationFailureAction: Audit